Exposed Secrets in Azure Kubernetes Cluster Due to Bug


Critical Privilege Escalation Vulnerability Patched in Azure Kubernetes Service (AKS)

Microsoft has patched a critical privilege escalation vulnerability in its managed Azure Kubernetes Service (AKS). Before the fix, attackers could have used it to gain unauthorized access to confidential information and execute malicious actions within affected clusters.

According to a report by Mandiant, attackers could have exploited the vulnerability to access sensitive data and credentials for various services used by the AKS cluster. The flaw specifically affected AKS clusters configured with Azure CNI and Azure Network Policy. It allowed an attacker with command execution privileges in any pod to download the node's configuration details, including the TLS bootstrap tokens used while setting up a Kubernetes node. Those tokens enable a TLS bootstrap attack, giving the attacker unauthorized access and elevated privileges within the cluster.

Mandiant identified the vulnerability as originating from the undocumented Azure component WireServer, which could be accessed by an attacker with command execution privileges on an AKS pod. By leveraging a technique published by CyberCX, researchers were able to recover TLS bootstrap tokens from WireServer and potentially gain access to critical cluster extensions and services.

The issue underscores the importance of enforcing strict network policies, hardening workloads, and requiring authentication for internal services within Kubernetes clusters. Although Microsoft has patched the vulnerability, security teams are advised to audit their AKS configurations immediately, rotate Kubernetes secrets, enforce pod security policies, and strengthen monitoring to detect suspicious activity. By taking these measures, organizations can reduce the risk of similar vulnerabilities and protect against future threats.
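One concrete form the recommended audit can take is checking which namespaces actually deny pod egress to the Azure WireServer address, since the report above describes bootstrap tokens being fetched from that endpoint. The script below is an added illustration written for this page; it is not code from Mandiant or Microsoft. It evaluates NetworkPolicy objects (in the shape `kubectl get networkpolicy -A -o json` returns) using the standard Kubernetes semantics: only pods selected by an Egress-type policy are restricted, and the traffic allowed to a pod is the union over all policies that select it. The WireServer address 168.63.129.16 is the fixed virtual IP Microsoft documents for every Azure VM; the sample policies, namespace names and helper names are constructed for the example.

```python
import ipaddress

# Azure's WireServer listens on a fixed virtual IP on every Azure VM (documented by
# Microsoft). The report above describes TLS bootstrap tokens being recovered from it.
WIRESERVER_IP = ipaddress.ip_address("168.63.129.16")


def _is_egress_policy(spec):
    """Kubernetes semantics: policyTypes governs; if absent, Egress applies only
    when an `egress` field is present."""
    if "policyTypes" in spec:
        return "Egress" in spec["policyTypes"]
    return "egress" in spec


def _selects_all_pods(spec):
    """An empty podSelector selects every pod in the namespace."""
    sel = spec.get("podSelector") or {}
    return not sel.get("matchLabels") and not sel.get("matchExpressions")


def _ipblock_allows(ipblock, ip):
    """True if an ipBlock {cidr, except} admits `ip`."""
    if ip not in ipaddress.ip_network(ipblock["cidr"], strict=False):
        return False
    return not any(ip in ipaddress.ip_network(exc, strict=False)
                   for exc in ipblock.get("except", []))


def _rule_allows(rule, ip):
    """True if one egress rule admits traffic to `ip`. A rule without `to`
    allows every destination; podSelector/namespaceSelector peers only match
    cluster pods, so they never admit an external address."""
    peers = rule.get("to")
    if not peers:
        return True
    return any("ipBlock" in peer and _ipblock_allows(peer["ipBlock"], ip)
               for peer in peers)


def namespace_blocks_ip(policies, ip=WIRESERVER_IP):
    """Given all NetworkPolicy objects of one namespace, decide whether every
    pod is denied egress to `ip`: some egress policy must select all pods
    (otherwise unselected pods have unrestricted egress), and, because allowed
    traffic is the union over all policies, no egress policy may admit `ip`."""
    egress_specs = [p["spec"] for p in policies if _is_egress_policy(p["spec"])]
    covers_all = any(_selects_all_pods(s) for s in egress_specs)
    admits = any(_rule_allows(r, ip) for s in egress_specs for r in s.get("egress", []))
    return covers_all and not admits


def audit(policies, namespaces, ip=WIRESERVER_IP):
    """Map each namespace to True (egress to `ip` blocked for all pods) or False."""
    by_ns = {}
    for pol in policies:
        by_ns.setdefault(pol["metadata"]["namespace"], []).append(pol)
    return {ns: namespace_blocks_ip(by_ns.get(ns, []), ip) for ns in namespaces}


def _np(ns, name, spec):
    """Build a minimal NetworkPolicy object (constructed sample data)."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": ns}, "spec": spec}


# Constructed sample: what `kubectl get networkpolicy -A -o json` might return.
SAMPLE_POLICIES = [
    # web: allow all egress except the Azure WireServer and IMDS addresses
    _np("web", "egress-no-metadata", {
        "podSelector": {}, "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                        "except": ["168.63.129.16/32",
                                                   "169.254.169.254/32"]}}]}]}),
    # batch: an egress policy exists, but it allows everything
    _np("batch", "egress-allow-all", {
        "podSelector": {}, "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]}),
    # ops: default-deny egress, plus DNS to kube-system pods for one workload
    _np("ops", "default-deny-egress", {
        "podSelector": {}, "policyTypes": ["Egress"], "egress": []}),
    _np("ops", "allow-dns", {
        "podSelector": {"matchLabels": {"app": "worker"}}, "policyTypes": ["Egress"],
        "egress": [{"to": [{"namespaceSelector": {"matchLabels": {
                        "kubernetes.io/metadata.name": "kube-system"}}}],
                    "ports": [{"protocol": "UDP", "port": 53}]}]}),
]
SAMPLE_NAMESPACES = ["web", "batch", "ops", "default"]  # default has no policy


if __name__ == "__main__":
    for ns, blocked in audit(SAMPLE_POLICIES, SAMPLE_NAMESPACES).items():
        print(f"{ns:8s} WireServer egress {'blocked' if blocked else 'REACHABLE'}")
```

Run against the constructed sample, `web` and `ops` come out blocked while `batch` (an allow-all rule) and `default` (no policy at all) remain reachable. The check is deliberately conservative: a namespace only passes when every pod is covered and no policy re-opens the address, which is the condition the Kubernetes union semantics require. In a real audit, feed it the `items` array from `kubectl get networkpolicy -A -o json` and the namespace list from `kubectl get ns`; Azure Network Policy must be enabled on the cluster for these objects to be enforced at all.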
